14 results (0.012 seconds)

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions on the 0.5 branch prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. • https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication. pyload es un administrador de descargas de código abierto escrito en Python puro. Un usuario autenticado puede cambiar la carpeta de descarga y cargar una plantilla manipulada en la carpeta especificada, lo que lleva a la ejecución remota del código. No hay ninguna solución disponible en el momento de la publicación. • https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

pyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad is validating URLs via the `get_redirect_url` function when redirecting users at login. This vulnerability has been patched with commit fe94451. pyLoad es un administrador de descargas de código abierto escrito en Python puro. Existe una vulnerabilidad de redireccionamiento abierto debido a la validación incorrecta de los valores de entrada al redirigir a los usuarios después de iniciar sesión. pyLoad valida las URL a través de la función `get_redirect_url` cuando redirige a los usuarios al iniciar sesión. Esta vulnerabilidad se ha solucionado con el commit fe94451. • https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 7.5EPSS: 36%CPEs: 3EXPL: 2

pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77. pyLoad es el administrador de descargas gratuito y de código abierto escrito en Python puro. Cualquier usuario no autenticado puede navegar a una URL específica para exponer la configuración de Flask, incluida la variable `SECRET_KEY`. Este problema se solucionó en la versión 0.5.0b3.dev77. • https://github.com/ltranquility/CVE-2024-21644-Poc https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40 https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv • CWE-284: Improper Access Control •

CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1

pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77. pyLoad es el administrador de descargas gratuito y de código abierto escrito en Python puro. Se identificó una vulnerabilidad de inyección de registros en "pyload" que permite a cualquier actor no autenticado inyectar mensajes arbitrarios en los registros recopilados por "pyload". • https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •